Heads Open Source Firmware - User Re-Ownership from OEM wizard
- Usage
- Attribution-NoDerivs 4.0 International
- Topics
- MeasuredBoot Heads QubesOS PrivacyBeast X230
- Language
- English
- Item Size
- 654.6M
This is a user walkthrough of the Hardware Re-Ownership Wizard that the user is required to go through when receiving an Insurgo QubesOS certified PrivacyBeast X230.
The Re-Owning Wizard enforces the following steps (CTRL+click or right-click and open the links in a new tab, or seek to the corresponding timestamp for direct access to the proper section of the video):
- Random generation of strong Diceware passphrases (or manual selection), which starts the one-shot provisioning of the whole wizard (00:27).
- Validation of the OEM-attested integrity of the firmware and /boot files against a detached-signed digest of the /boot content, using the OEM GPG public key injected in the firmware (02:54).
- Re-encryption of the SSD LUKS container (the encrypted QubesOS installation) and the SD card (storage/retrieval of secrets) (03:09), then a forced passphrase change of both LUKS encrypted containers (25:59).
First reboot.
- Factory reset of the previously OEM-owned USB Security dongle, generating private keys inside the GPG smartcard and injecting the generated public key into the firmware (27:39).
- After injecting your new public key into the firmware, Heads WARNS YOU that the measurements have been invalidated by the flashing, prior to rebooting (51:50).
Descriptive text before the reboot warns you to generate a new TOTP/HOTP secret at the next step.
Second reboot.
- As expected, Heads is not able to unseal the TOTP secret from the TPM since the firmware measurements have changed (52:53).
This step reseals the new firmware measurements (which changed when the public key was injected into the ROM) into the TPM and, through HOTP, into the USB Security dongle for remote attestation.
Select "Generate a new TOTP/HOTP secret", the default option.
THIS SHOULD NEVER HAPPEN UNLESS YOU UPGRADE THE FIRMWARE, WHICH IS THE CASE HERE.
NO NEED TO SCAN THE QR CODE HERE. Scan it at the next step (TPM re-ownership).
Third reboot.
- Re-own the TPM with a user-selected passphrase (the same passphrase as the GPG Admin PIN). Sealing of the firmware measurements, both in the TPM (and on the smartphone through the generation of a TPMTOTP QR code) and in the USB Security dongle (through HOTP) (53:50).
- Selection of a new default boot option and generation of a new Disk Unlock Key under Heads, sealed into TPM NV memory, which can only be unsealed to unlock the LUKS encrypted container if the firmware measurements, the LUKS header and the provided Disk Unlock Key passphrase are all valid.
Fourth and last reboot.
Next is booting into QubesOS with the chosen Disk Unlock Key passphrase.
The whole process takes around 45 minutes. The user can then boot preinstalled QubesOS.
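To make the "measurements invalidated, TOTP cannot be unsealed, regenerate and reseal" sequence above concrete, here is an added example (not Heads code and not from the Insurgo build) that simulates the sealing logic with a toy TPM. `ToyTPM`, the PCR indexes, the `root_secret`, the firmware images and the LUKS header bytes are all constructed stand-ins; the HOTP/TOTP functions follow RFC 4226/6238 so the codes are real, and the RFC 4226 test-vector secret is used so the output can be checked.

```python
"""Toy model of Heads-style measured-boot sealing (added example, not Heads code).

Heads seals the TOTP/HOTP secret and the Disk Unlock Key in the TPM bound to
firmware measurements. Reflashing the firmware (here: injecting the user's new
GPG public key) changes the measurement, so the TPM refuses to unseal and the
secrets must be regenerated and resealed. ToyTPM is a simulation built from
HMAC, not the TPM 1.2 interface the X230 really uses.
"""
import hashlib
import hmac
import struct

PCR_FIRMWARE = 0   # assumed index for the firmware measurement
PCR_LUKS = 1       # assumed index for the LUKS header measurement


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class ToyTPM:
    """Simulated TPM: a few PCRs plus sealing keyed by a secret that never leaves it."""

    def __init__(self, root_secret: bytes):
        self._root = root_secret   # hypothetical per-TPM secret
        self.pcrs = {}

    def power_on(self) -> None:
        self.pcrs = {PCR_FIRMWARE: bytes(32), PCR_LUKS: bytes(32)}

    def extend(self, index: int, measurement: bytes) -> None:
        # PCR_new = H(PCR_old || H(measurement)), the TPM extend operation
        self.pcrs[index] = sha256(self.pcrs[index] + sha256(measurement))

    def _key(self, indexes, auth: bytes) -> bytes:
        policy = b"".join(self.pcrs[i] for i in sorted(indexes))
        return hmac.new(self._root, policy + sha256(auth), hashlib.sha256).digest()

    def seal(self, secret: bytes, indexes, auth: bytes = b"") -> dict:
        # Secret (<= 32 bytes) is bound to the current PCR values and to `auth`
        # (the Disk Unlock Key passphrase in the Heads case, empty for TOTP).
        assert len(secret) <= 32
        return {"indexes": tuple(sorted(indexes)),
                "blob": xor(secret, self._key(indexes, auth)),
                "check": sha256(secret)[:8]}

    def unseal(self, sealed: dict, auth: bytes = b"") -> bytes:
        secret = xor(sealed["blob"], self._key(sealed["indexes"], auth))
        if sha256(secret)[:8] != sealed["check"]:
            raise PermissionError("PCR/auth mismatch: refusing to unseal")
        return secret


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP (what the USB Security dongle computes)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP (what the smartphone computes from the QR code)."""
    return hotp(secret, now // step)


def boot(tpm: ToyTPM, firmware: bytes, luks_header: bytes) -> None:
    tpm.power_on()
    tpm.extend(PCR_FIRMWARE, firmware)
    tpm.extend(PCR_LUKS, luks_header)


# Constructed sample data
FIRMWARE_OEM = b"heads-rom:oem-public-key"
FIRMWARE_USER = b"heads-rom:user-public-key"      # after the wizard injects the user's key
LUKS_HEADER = b"LUKS:header-v1"
TOTP_SECRET = b"12345678901234567890"               # RFC 4226 test-vector secret
DISK_UNLOCK_KEY = sha256(b"constructed disk unlock key")
DUK_PASSPHRASE = b"constructed disk unlock passphrase"


def run_scenario() -> dict:
    tpm = ToyTPM(root_secret=b"constructed-tpm-root-secret")
    out = {}
    boot(tpm, FIRMWARE_OEM, LUKS_HEADER)
    sealed_totp = tpm.seal(TOTP_SECRET, [PCR_FIRMWARE])
    sealed_duk = tpm.seal(DISK_UNLOCK_KEY, [PCR_FIRMWARE, PCR_LUKS], DUK_PASSPHRASE)
    # Normal boot: measurements unchanged, Heads' code equals the phone's code
    boot(tpm, FIRMWARE_OEM, LUKS_HEADER)
    now = 1_500_000_000   # fixed clock so the example is deterministic
    out["code_matches_phone"] = totp(tpm.unseal(sealed_totp), now) == totp(TOTP_SECRET, now)
    # Wizard flashes the user's public key: the second-reboot failure
    boot(tpm, FIRMWARE_USER, LUKS_HEADER)
    try:
        tpm.unseal(sealed_totp)
        out["totp_after_flash"] = "unsealed"
    except PermissionError:
        out["totp_after_flash"] = "refused"
    # TPM re-ownership: new secret, resealed under the new measurements
    new_secret = sha256(b"constructed new totp secret")[:20]
    sealed_totp = tpm.seal(new_secret, [PCR_FIRMWARE])
    sealed_duk = tpm.seal(DISK_UNLOCK_KEY, [PCR_FIRMWARE, PCR_LUKS], DUK_PASSPHRASE)
    boot(tpm, FIRMWARE_USER, LUKS_HEADER)
    out["totp_after_reseal"] = tpm.unseal(sealed_totp) == new_secret
    out["duk_ok"] = tpm.unseal(sealed_duk, DUK_PASSPHRASE) == DISK_UNLOCK_KEY
    # Wrong passphrase, or a modified LUKS header, must not release the key
    try:
        tpm.unseal(sealed_duk, b"wrong passphrase")
        out["duk_wrong_pass"] = "unsealed"
    except PermissionError:
        out["duk_wrong_pass"] = "refused"
    boot(tpm, FIRMWARE_USER, b"LUKS:tampered-header")
    try:
        tpm.unseal(sealed_duk, DUK_PASSPHRASE)
        out["duk_tampered_header"] = "unsealed"
    except PermissionError:
        out["duk_tampered_header"] = "refused"
    return out


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The key design point is that the sealing key is derived from the PCR values at seal time, so nothing short of reproducing the same measurements (and, for the Disk Unlock Key, the same LUKS header and passphrase) lets the secret out; that is exactly why the wizard must regenerate the TOTP/HOTP secret after it flashes the new public key rather than reuse the OEM one.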
The OEM re-ownership activation walkthrough can be consulted here.
Code and downloadable reproducible builds of this image can be found here.
Heads pending pull requests are here.
Heads conference/paper is here.
Glitter nail polish as proven Tamper Evidence seal usage is here.
Qubes related stuff:
Stay safe.
- Addeddate
- 2019-07-06 16:05:43
- Identifier
- oemuserreownership
- Scanner
- Internet Archive HTML5 Uploader 1.6.4